CERT

Appendix B

Summary of Corrective Actions

The following pages summarize the corrective actions listed in the CERT®/CC records. Table B.1 presents the data in tabular form, showing the following for each category:

  1. First Report - The reporting date of the earliest incident where the action was recorded.
  2. Mean Report - The mean reporting date for all incidents where the action was recorded.
  3. Last Report - The reporting date of the last incident where the action was recorded.
  4. Incidents - The total number of incidents reporting the action.
  5. Delta - The difference between the Mean Reporting Dates for the incidents reporting the action and the Mean Reporting Date for all incidents.

The same data are plotted in Figures B.1 to B.6. The first four figures present the internal corrective actions; the last two present the external corrective actions.

Of the 4,299 incidents, 1.5% (63) of the incident reports recorded no corrective actions. The remaining 98.5% (4,236) of the incident reports record, at a minimum, some indication that one or more of the sites involved were notified. This corrective action (notifying sites) is not listed in Table B.1 or in the Figures that follow. The Table and Figures show the other corrective actions, which are recorded in 1,388 (32.3%) of the incidents in the CERT®/CC records.


Table B.1. Corrective Actions

Corrective Action                   First Report Mean Report  Last Report  Incidents    Delta
all                                 1-Oct-88     24-Oct-93    30-Dec-95         4299      0.0
All Corrective Actions              1-Oct-88     10-Oct-93    30-Dec-95         1388    -13.9
Internal Actions                    30-Nov-88    4-Oct-93     30-Dec-95         1137    -20.3
Restrict System Hardware/Software   5-Dec-88     30-Dec-93    30-Dec-95          674     66.6
  disable tftp                      22-Jun-93    22-Jun-93    22-Jun-93            1   -124.4
  disable ftp                       1-Jul-93     28-Jul-93    25-Aug-93            2    -87.9
  wrapper                           12-Aug-93    12-Aug-93    12-Aug-93            1    -73.4
  close account(s)                  1-Sep-89     29-Oct-93    28-Dec-95          460      5.1
  firewall                          1-Apr-90     4-Dec-93     10-Oct-95            4     40.9
  disconnect                        5-Dec-88     5-Jan-94     24-Dec-95          124     72.8
  filter                            1-Apr-90     31-Aug-94    30-Dec-95          162    310.6
  restrict logins                   25-Nov-94    19-Dec-94    12-Jan-95            2    420.6
  delete .rhosts                    22-Jul-94    12-Mar-95    31-Oct-95            2    503.6
Configure System Hardware/Software  30-Nov-89    8-Jun-93     24-Dec-95          447   -137.5
  restrict server                   27-Aug-90    3-Apr-92     21-Feb-95           38   -568.6
  change permissions                19-May-92    19-May-92    19-May-92            1   -523.4
  secure server/router              5-Dec-88     16-May-93    13-Dec-95          140   -160.8
  change password(s)                22-Aug-89    23-Jul-93    24-Dec-95          310    -92.5
  change configuration              10-Aug-95    17-Sep-95    26-Oct-95            2    693.1
Upgrade System Hardware/Software    30-Nov-88    11-Oct-93    28-Dec-95          367    -13.0
  add traps                         1-Apr-90     24-May-91    16-Jul-92            2   -883.9
  patch                             30-Nov-88    10-Aug-93    28-Dec-95          200    -74.5
  upgrade software                  20-Sep-89    13-Dec-93    20-Dec-95           81     50.1
  reload software/system            30-Oct-89    18-Jan-94    20-Dec-95          161     86.0
Preventive Measures                 5-Dec-88     22-Mar-93    19-Dec-95          245   -215.9
  spy                               29-Jan-91    29-Jan-91    1-Jan-91             1   -999.4
  checklist                         5-Dec-88     17-Mar-92    7-Dec-94             4   -586.1
  increase monitoring               1-Sep-89     28-Oct-92    19-Dec-95          143   -360.6
  cops                              1-Apr-90     3-Jun-93     6-Aug-95            75   -142.7
  crack                             18-Oct-89    31-Dec-93    20-Oct-95           28     68.3
  tripwire                          19-Sep-92    5-Aug-94     25-Oct-95           26    285.1
  publish reports                   2-May-95     2-May-95     2-May-95             1    554.6
  talk to all users                 26-Jul-95    22-Aug-95    19-Sep-95            2    667.1
Miscellaneous Measures
  delete worm                       22-Dec-88    22-Dec-88    22-Dec-88            1  -1767.4
  refer to assist                   23-Aug-93    23-Aug-93    23-Aug-93            1    -62.4
External Actions                    1-Oct-88     23-Oct-93    30-Dec-95          478     -0.9
Take Action Against Intruder        5-Dec-88     14-Nov-93    30-Dec-95          295     20.7
  arrest                            1-Nov-89     9-Apr-93     7-Dec-95            27   -197.6
  talk to intruder(s)               5-Dec-88     2-Dec-93     30-Dec-95          273     39.2
  punish                            11-Apr-91    20-Nov-94    19-Dec-95           23    392.1
Law Enforcement                     1-Oct-88     30-Aug-93    28-Dec-95          237    -55.4
  trace                             1-Apr-90     1-Apr-90     1-Apr-90             1  -1302.4
  investigate                       27-Jun-90    27-Jun-90    27-Jun-90            1  -1215.4
  secret service                    1-Oct-88     30-Sep-92    18-Apr-95           19   -389.2
  law enforcement                   1-Oct-88     24-Dec-92    7-Mar-95             3   -304.1
  police                            29-Jun-89    30-Aug-93    28-Dec-95          141    -55.4
  fbi                               2-Oct-89     20-Sep-93    6-Dec-95           110    -33.9
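As an added example, not part of the CERT®/CC report, the Python below recomputes the Table B.1 columns (First Report, Mean Report, Last Report, Incidents, Delta) from a small constructed set of incident records and then uses the table's single-incident rows to check the Delta convention. It assumes that Delta is measured in days and that the mean report date is the arithmetic mean of the report dates counted as days; the sample records and the action names in INCIDENTS are constructed for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample records: (report date, corrective actions recorded).
# An empty set stands for a report that records only "sites notified".
INCIDENTS = [
    (date(1993, 6, 22), {"disable tftp", "close account(s)"}),
    (date(1993, 8, 12), {"wrapper"}),
    (date(1993, 10, 1), {"close account(s)"}),
    (date(1994, 1, 15), {"close account(s)", "patch"}),
    (date(1995, 3, 3), set()),
]

def summarize(incidents, action=None):
    """(first, mean ordinal, last, count) over the incidents recording
    `action`; action=None summarizes all incidents. None if no incident."""
    dates = [d for d, acts in incidents if action is None or action in acts]
    if not dates:
        return None
    # Assumption: the mean report date is the mean of the dates as day counts.
    return min(dates), mean(d.toordinal() for d in dates), max(dates), len(dates)

def delta_days(incidents, action):
    """Delta column: mean date for the action minus mean date for all
    incidents, in days (negative = reported earlier on average)."""
    return summarize(incidents, action)[1] - summarize(incidents)[1]

def share_without_action(incidents):
    """Fraction of reports recording no action beyond notifying sites."""
    return sum(1 for _, acts in incidents if not acts) / len(incidents)

def implied_overall_mean(report_date, delta):
    """A single-incident row has mean == report date, so the overall mean
    it implies is report_date - Delta; published rows must agree."""
    return report_date.toordinal() - delta

def as_date(ordinal):
    """Render a fractional mean ordinal in the table's d-Mon-yy style."""
    d = date.fromordinal(round(ordinal))
    return f"{d.day}-{d:%b-%y}"

if __name__ == "__main__":
    for name in (None, "close account(s)", "disable tftp"):
        first, m, last, n = summarize(INCIDENTS, name)
        print(name or "all", first, as_date(m), last, n,
              round(delta_days(INCIDENTS, name), 1) if name else 0.0)
    # Four single-incident rows of Table B.1 (date, Delta) imply one overall mean.
    rows = [(date(1993, 6, 22), -124.4), (date(1992, 5, 19), -523.4),
            (date(1988, 12, 22), -1767.4), (date(1990, 4, 1), -1302.4)]
    print({as_date(implied_overall_mean(d, dl)) for d, dl in rows})
```

Run stand-alone, the final line prints a single value, 24-Oct-93, the Mean Report of the "all" row, which confirms that Delta is the mean-date difference in days.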

Figure B.1. Range and Mean Incident Reporting Dates for Corrective Actions - Restrict System Hardware/Software

Large black squares indicate the mean reporting date of the incidents in that category. The vertical line spans the first and last reporting dates. The number of incident records that record the particular corrective action is given at the bottom of each column in the chart. The letters and numbers at the bottom of the chart indicate the specific corrective actions or groups as follows:

  A - All Incidents
  B - All Corrective Actions
  C - All Internal Actions
  D - All Restrict Hardware/Software Actions
  1 - Disable TFTP
  2 - Disable FTP
  3 - Install TCP wrapper
  4 - Close account(s)
  5 - Install firewall
  6 - Disconnect from Internet
  7 - Filter network traffic
  8 - Restrict logins
  9 - Delete .rhosts file(s)

Figure B.2. Range and Mean Incident Reporting Dates for Corrective Actions - Configure System Hardware/Software

Large black squares indicate the mean reporting date of the incidents in that category. The vertical line spans the first and last reporting dates. The number of incident records that record the particular corrective action is given at the bottom of each column in the chart. The letters and numbers at the bottom of the chart indicate the specific corrective actions or groups as follows:

  A - All Incidents
  B - All Corrective Actions
  C - All Internal Actions
  D - All Restrict Hardware/Software Actions
  1 - Restrict server
  2 - Change permissions
  3 - Secure server/router
  4 - Change password(s)
  5 - Change configuration

Figure B.3. Range and Mean Incident Reporting Dates for Corrective Actions - Upgrade System Hardware/Software

Large black squares indicate the mean reporting date of the incidents in that category. The vertical line spans the first and last reporting dates. The number of incident records that record the particular corrective action is given at the bottom of each column in the chart. The letters and numbers at the bottom of the chart indicate the specific corrective actions or groups as follows:

  A - All Incidents
  B - All Corrective Actions
  C - All Internal Actions
  D - All Restrict Hardware/Software Actions
  1 - Add traps
  2 - Patch software
  3 - Upgrade software
  4 - Reload software/router

Figure B.4. Range and Mean Incident Reporting Dates for Corrective Actions - Preventive Measures

Large black squares indicate the mean reporting date of the incidents in that category. The vertical line spans the first and last reporting dates. The number of incident records that record the particular corrective action is given at the bottom of each column in the chart. The letters and numbers at the bottom of the chart indicate the specific corrective actions or groups as follows:

  A - All Incidents
  B - All Corrective Actions
  C - All Internal Actions
  D - All Restrict Hardware/Software Actions
  1 - Spy
  2 - Checklist
  3 - Increase monitoring
  4 - Cops
  5 - Crack
  6 - Tripwire
  7 - Publish reports
  8 - Talk to all users

Figure B.5. Range and Mean Incident Reporting Dates for Corrective Actions - Take Action Against Intruder

Large black squares indicate the mean reporting date of the incidents in that category. The vertical line spans the first and last reporting dates. The number of incident records that record the particular corrective action is given at the bottom of each column in the chart. The letters and numbers at the bottom of the chart indicate the specific corrective actions or groups as follows:

  A - All Incidents
  B - All Corrective Actions
  C - All External Actions
  D - All Actions Against Intruder
  1 - Arrest
  2 - Talk to intruder(s)
  3 - Punish

Figure B.6. Range and Mean Incident Reporting Dates for Corrective Actions - Law Enforcement

Large black squares indicate the mean reporting date of the incidents in that category. The vertical line spans the first and last reporting dates. The number of incident records that record the particular corrective action is given at the bottom of each column in the chart. The letters and numbers at the bottom of the chart indicate the specific corrective actions or groups as follows:

  A - All Incidents
  B - All Corrective Actions
  C - All External Actions
  D - All Law Enforcement Actions
  1 - Trace
  2 - Investigate
  3 - Secret Service
  4 - Other law enforcement
  5 - Police
  6 - FBI
